Security proof of practical quantum key distribution schemes

Yodai Watanabe 

National Institute of Informatics, Research Organization of Information and Systems 
2-1-2 Hitotsubashi, Chiyoda-ku, Tokyo 1018430, Japan 
(Dated: February 1, 2008) 

This paper provides a security proof of the Bennett-Brassard (BB84) quantum key distribution 
protocol in practical implementation. To prove the security, it is not assumed that defects in the 
devices are absorbed into an adversary's attack. In fact, the only assumption in the proof is that 
the source is characterized. The proof is performed by lower-bounding the adversary's Rényi entropy
about the key before privacy amplification. The bound reveals the leading factors reducing the key
generation rate. 
One of the fundamental problems in cryptography is to provide a way of sharing a secret random number between two parties, Alice and Bob, in the presence of an adversary Eve. Quantum key distribution is a solution to this problem; indeed, it allows Alice and Bob to generate a shared secret key securely against Eve with unbounded computational resources. The security of quantum key distribution against general attacks was first proved by Mayers. Later, Shor-Preskill provided a simple security proof based on the observation that quantum key distribution (BB84 protocol) is closely related to quantum error-correcting codes (CSS codes). Gottesman et al. showed that the Shor-Preskill proof is still valid as long as the source and detector are perfect enough that all defects can be absorbed into Eve's attack (see also for the rate achievability of quantum codes in the security proof). In contrast to the security proof based on quantum codes, the Mayers proof has a remarkable characteristic: although the source has to be (almost) perfect, there is no restriction on the detector; in particular, it can be uncharacterized. By exchanging the roles of the source and detector in the Mayers proof, Koashi-Preskill [9] provided a security proof which applies to the case where the detector is perfect, but the source can be uncharacterized (except that the averaged states are independent of Alice's basis). The aim of this work is to generalize these results. We provide a security proof of the BB84 protocol in which the only assumption is that the source is characterized. In the same way as Koashi-Preskill [9], this can be transformed into a security proof which is based on characteristics of the detector. Further, we note that the security proof also applies to the B92 protocol.

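Let us first recall the BB84 protocol. Let $\mathcal{H}$ be a Hilbert space. Let $\mathcal{A} = \{1, \dots, N\}$, and for $\mathcal{B} \subset \mathcal{A}$ denote the cardinality of $\mathcal{B}$ by $n_{\mathcal{B}}$. The BB84 protocol is described as follows.

BB84 protocol:
(i) Alice generates two binary strings $a^{\mathcal{A}} = \{a_i\}_{i \in \mathcal{A}}$ and $x^{\mathcal{A}} = \{x_i\}_{i \in \mathcal{A}}$ according to the probability distribution $p(a^{\mathcal{A}}, x^{\mathcal{A}}) = \prod_i p_{a_i, x_i}$.
(ii) Bob generates a binary string $b^{\mathcal{A}} = \{b_i\}_{i \in \mathcal{A}}$ according to the probability distribution $p(b^{\mathcal{A}}) = \prod_i p_{b_i}$.
(iii) Alice sends the quantum state on $\mathcal{H}^{\otimes N}$, $\rho^{\mathcal{A}}_{a,x} = \bigotimes_i \rho_{a_i, x_i}$, to Bob.
(iv) Bob applies the measurement on $\mathcal{H}^{\otimes N}$, with outcomes $y^{\mathcal{A}} \in \{0, 1, \phi\}^N$, to the received quantum state, where $E_{0,\phi} = E_{1,\phi}$ is the measurement corresponding to the result that Bob cannot detect a state.
(v) Alice and Bob open $a^{\mathcal{A}}$ and $b^{\mathcal{A}}$ respectively. Let $\mathcal{D} = \{i \in \mathcal{A} \mid y_i \neq \phi\}$ and $\mathcal{C} = \{i \in \mathcal{D} \mid a_i = b_i\}$. Alice and Bob select a random subset $\mathcal{T} \subset \mathcal{C}$ (which does not necessarily satisfy $n_{\mathcal{T}}/n_{\mathcal{C}} \simeq 1/2$). Let $\mathcal{K} = \mathcal{C} - \mathcal{T}$.
(vi) Alice and Bob compare $x^{\mathcal{T}}$ and $y^{\mathcal{T}}$, and count the number of errors, $n^e_{\mathcal{T}} = |\{i \in \mathcal{T} \mid x_i \neq y_i\}|$.
(vii) Bob estimates $x^{\mathcal{K}}$ by exchanging error-correction information with Alice.
(viii) Alice and Bob generate a secret key $s$ by applying a compression function to $x^{\mathcal{K}}$.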

To prove the security of the BB84 protocol, the previous works assume that either Alice's source or Bob's detector is almost perfect in the sense that all defects in the device can be absorbed into Eve's attack. We wish to prove the security of quantum key distribution under practical implementation. Note that the previous security proofs have been based on directly bounding Eve's mutual information about the final key, i.e. the key after privacy amplification. In this work, we first lower-bound Eve's Rényi entropy about the key before privacy amplification, and then apply privacy amplification from classical information theory, which makes use of a compression function in a universal hash family (see for the classical theory of privacy amplification).

We now provide basic definitions which will be used later (see e.g. [8] for details). The variation distance between probability distributions $p$ and $q$ is given by $d_V(p, q) = \frac{1}{2} \sum_w |p(w) - q(w)|$. The quantum analogue of the variation distance is called the trace distance. For a Hermitian operator $X$ with the spectral decomposition $X = \sum_i x_i E_i$, define the projection $\{X > 0\}$ by $\{X > 0\} = \sum_{i: x_i > 0} E_i$. Then the trace distance between quantum states $\rho$ and $\sigma$, $d_T(\rho, \sigma)$, is given by

$$d_T(\rho, \sigma) = \frac{1}{2} \mathrm{Tr}|\Delta| = \frac{1}{2} \mathrm{Tr}\left(\Delta\{\Delta > 0\} - \Delta\{-\Delta > 0\}\right)$$

with $\Delta = \rho - \sigma$. The trace distance can be bounded by another distance called the fidelity as $d_T(\rho, \sigma) \le \sqrt{1 - F(\rho, \sigma)^2}$, where the fidelity $F(\rho, \sigma)$ between $\rho$ and $\sigma$ is given by $F(\rho, \sigma) = \mathrm{Tr}|\sqrt{\rho}\sqrt{\sigma}|$.

Let z be the output of the measurement by Eve. Then, 
without loss of generality, the probability distribution of 
the random variables can be written as

pC(x, y, z) = p{x c ,y c ,z\a A , b A , x T , y T , V, T) 

= fi(x)Tr(E£ y <g> E z )U(p c atX p E )Ul 

Here, $\rho_E$ is the initial state of an ancilla system introduced by Eve, $E_z$ is Eve's measurement on the ancilla system, and $U$ is Eve's unitary operation acting on the composite system. (The quantum channel is assumed to be under Eve's control.)
For B C C and p a
as above, let denote the marginal distribution of the 
random variables defined on B. 

We begin with decomposing p a (a,x S {0, 1}) as 

Pa,x — P a ,xPa,x > Pa,xPa,xi Pa,x> Pa,x ^ ^ V 1 *- 1 1 \ x ) 

where + Pa/x = 1, Pa.xP^x = P^ for a positive con- 
stant < mhi atX {p a iX }, and has a Schatten de- 
composition of the form 



Pa}x — ^ Xg.x [kg,x) \kg, x ) {kg^x | ■ 

fca.x 



(2) 



We note that /9 ai2: always has a decomposition of the 

above form (where we allow p a } x = p a ] x ). Let A" = 
{(0,0), (0, 1), (1,0), (1, 1)}. We now construct a set of 
pure states, {p a } a& x, such that there exists a physi- 
cal transformation from {p a }aex to {p^} a ex- Let p a p 
{a, /3 € A") be a mapping from {\k a )}k a to {\kj3}}kp with 
p aa being the identity on {\k a )}k a , and introduce the 
Gram matrix G by writing 

[G] a p = ^ y 1 \a{k a )X0{k a p){k a \k a p){4> ka \(j) kal3 ), 



where \k a p) = p a /3(\k a }) and \<pk a ) is a state on an ancilla 
system TL^. Since G > 0, there exists a square matrix 
C such that G = C^C. Further, since all the diagonal 
elements of G are 1, we can define a pure state p a (a G X) 
on a 4-dimensional Hilbcrt space TL^ by 

= |Ca)(Ca|) 

where C a denotes the a-th column of C. It follows from 
this construction that there exists a physical transfor- 
mation from {p a }aex to {pa^}aex (see 0). Now we 
introduce an approximation of {p a }aex which is easier 
to treat in the security proof. Let TL2 be a 2-dimensional 
subspace of H4, and <j a ,x (a,x £ {0, 1}) be states on Ti.2 
such that 



phase reference, p a — ^ fcgN (// fc /fc!)e~' i |fc; a|, for 
instance, we can take for a, (3 € X and k G N, p^ — 
Pa = <J a = Pa = p-e^i 1 , fi a p(\k; a)) = \k;/3) 

and \<f>k;a) =\4>)- 

The decomposition Q allows us to consider that the 

Alice's source generates pa}x with probability p a l and 

Pa)x with probability p a X )x . Further, we assume that Eve is 
informed of partial information about each state pa gen- 
erated by the Alice's source: (i) pa = p'al or pa — p a ,x 
and (ii) p A = p^l or p A = p^l when p A = pa/x- This 
assumption is advantageous to Eve, and hence does not 
reduce the security of the protocol. Let C C JC be the po- 
sitions where pa}x is generated, and M. = K, — C. We now 
fix C and Ai, and consider the best success probability 
to estimate x M from p a \x M and a M . Here note that we 
can estimate each bit Xi of x separately because each 
state p ai ,xi is generated independently of the other bits 
{x v \i' G M}. For a G {0,1}, let {T Oj0 , T a , u T M } 

be a POVM on W which is used to discriminate p^\ and 
p^\, and let p^p be the conditional probability defined by 

Pa = {Pa,oP^~l + Pa,iP ( a\)/(Pa : o + Pa.i)- Furt her, define 
for a constant Sj^ > 0, 



P- 



' M 



(pm - S%i) 



a (1) 



exp(—n c A D(B 1 (p a A 



Pm = 
\Bi(p a M 



„a 



s a M ))), 



where = \{i G B\a.i = d}\ for B C A, B x denotes the 
Bernoulli distribution, and D(p\\q) is the relative entropy 
of p and Here let us consider the condition C given 

by 



C : Trp^p^T aj2 



where pifi = p a ,xPaYx/ (jPaflp fp + Pa.ipia) for (i G {0, 1}. 
Then it can be verified that Pr^[^C] < e^,, where the 
probability Pr.4 is taken over the randomness in choos- 
ing V,T,C G A (see e.g. 5j). Suppose now that the 
condition C holds. Then we have 

n a M <n a + = m^{n a M \p a _ < 1}. 

Also, we can write the best success probability of the 
discrimination as 



> 



V Trn (1) n {1) T 

/ , r J-i pa.xya^x-L a,x 
T a ,a,T a<1 :C I E„^pl!^i!K 



s M = sup 



$$\sigma_{0,0} + \sigma_{0,1} = \sigma_{1,0} + \sigma_{1,1} = I_{\mathcal{H}_2}$$



where, for a Hilbert space H, In denotes the identity 
on Ti. Note that the decompositions and J5J and 
the choises of p a /3, \4>k a ) and a a , x are not unique; they 
should be determined so that the distance d,T{<J a ,XT Pa.x) 
will be minimized. In the case of coherent states with no 



Let z* be a random variable induced by a measurement 
on p^ x . Then, by definition of s^U, it follows that 

p5{x\z*)<pZ{x\zn{sld n ° M {sM) nlM - (3) 

Having considered the M. part, we next consider the 
C part. Let us first estimate the error rate p e c at C from 
p'j- = n^/nt, the error rate at T. On remembering that
the error probability of the discrimination at M. is at 
least 1 — s a M for a basis a, define for a constant S p > 0, 

+ _ riKPr + n c$ P -n° M (l- s%) - n]^(l - s x M ) 

P c ~ ' 

e c T = exp ( - n T D{B 1 {p e r )\\Bx{p e r + 5 p )). 

Then we have Pr^[p|- > p^\ < = Cq 4 + e-j^ + ef-, from 
which, it follows that 

Pa(x,y,z) < nc- (4) 

x,y,z:\x®y\>ncP% 
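
The sampling bound of the form $\exp(-n_{\mathcal{T}} D(B_1(p) \| B_1(p + \delta_p)))$ used above can be evaluated and inverted numerically. The following Python sketch is an added example, not from the paper; the sample sizes, error rate and target probability are constructed, and the function names are hypothetical.

```python
import math

def binary_kl(p, q):
    """Relative entropy D(B_1(p) || B_1(q)) in nats between Bernoulli distributions."""
    total = 0.0
    for a, b in ((p, q), (1 - p, 1 - q)):
        if a > 0:
            total += a * math.log(a / b)
    return total

def tail_bound(n_test, p_err, delta):
    """exp(-n_T * D(B_1(p) || B_1(p + delta))) for test-set size n_T."""
    return math.exp(-n_test * binary_kl(p_err, p_err + delta))

def margin_for(n_test, p_err, eps, tol=1e-12):
    """Smallest delta (found by bisection) with tail_bound <= eps,
    or None when no delta below 1 - p_err reaches eps."""
    lo, hi = 0.0, 1.0 - p_err - 1e-12
    if hi <= 0 or tail_bound(n_test, p_err, hi) > eps:
        return None
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if tail_bound(n_test, p_err, mid) <= eps:
            hi = mid          # mid is large enough, tighten from above
        else:
            lo = mid          # mid is too small
    return hi

# Constructed inputs: observed test error rate 2 %, target probability 1e-10.
P_ERR, EPS = 0.02, 1e-10

if __name__ == "__main__":
    for n_test in (1_000, 10_000, 100_000):
        delta = margin_for(n_test, P_ERR, EPS)
        print(f"n_T = {n_test:>7}  delta_p >= {delta:.5f}")
```

The margin shrinks as the test set grows, which is the finite-size cost that the constant $\delta_p$ carries into the key-rate bound.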

Now, let us consider a modified protocol in which Alice 
sends p£ x (instead of jo£ x ), where a denotes the bit- wise 
inversion of binary string a. Let p^ be the corresponding 
conditional probability in the modified protocol. It then 
follows from the monotonicity of the trace distance that 

dv(Pa{n,y,z),p~(x,y,z)) < d T {Pa,Pa), (5) 

where p a = \Y, x Pa,x for a G {0,1}. We note 
that driPaiPa) can be bounded as dr(Pa,Pa) — 
sjl - F(p ,pi) 2n £. From inequalities (@J and JSJ , it fol- 
lows that 

P&(x,y,z)<fJ>c + dr{pa,Ps)- ( 6 ) 

x,y,z:\x®y\>ncpj. 

Let us now introduce the POVM {M a<vz } VlZ by writing 
Pa{ x ,V, z) = Trpf (x)p^ x M a ^ yz 

with Pa{x) = Y\ifzcPa},xi — 2~ nr - , where, for simplic- 
ity, we have omitted deviding the right-hand side by 
S a z T r PaM a ,yz because it will be canceled when we will 
consider the conditional probability p£ (x\y, z). Now, let 
us consider the case where Bob uses the opposite basis a 
at C and introduce the notation y by writing 

Pa(x,y,z) = Trp^(x)p^ x Ma :V z- 

Note that E 0t0 + _E ,i = -Ei.o + £1,1, and so p% (x, z) = 
J2 y Pa( x >y> z ) = Y, y Pa( x ,y, z )- Tnat is > the probability 
distribution p^{x, z) is independent of the basis used for 
the Bob's measurement. Thus, in the sequel, we will 
consider p a (x, y, z) rather than p a (x, y, z). 

To examine the security of the protocol, it is more 
convenient to treat a a , x than p a . x . Thus, define 

Pa(x,y,z) = TTp^(x)a^ x M a ,yz- 
The monotonicity of the trace distance gives 

dv(Pa( x ,V, z ),Pa( x ^y, z )) < "C, 
"C = YPa( X ) d T(pi x ,Va, x )- 

X 



This, together with JJJJ, yields 

J2 Tr(a§ - 5y)M- a , yz < p c + v c + d T (pf , p£), (8) 
y,z 

where we have defined 

°y = Pa( x )^n,x- 
x*~ :\x@y\<~n cp^ 

Inequality (JHJ) can be seen as a restriction on Eve's mea- 
surement. To take advantage of this restriction, we now 
construct a projection on 7i® nc , Py, which sufficiently 
preserves <jy. For this purpose, let us first consider the 
problem of quantum hypothesis testing, where two hy- 
potheses are, for fixed base a G {0, 1}, H a : p = a a G H2 
and Hi : p = <r a ,i G Hi. If {P a ,x}xe{o,i}> defined by 

Pa,x — \&a,x &a,x ^ 0}i 

is used as a test for the hypothesis testing, then the suc- 
cess probability s a c is given by 

s c = \( l +^t(o- ,o,o" 0i i)). 
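
The trace distance, the fidelity bound and the test $\{\sigma_{a,0} - \sigma_{a,1} > 0\}$ can be checked numerically for a single qubit. The following Python sketch is an added example, not code from the paper: it confirms that the test succeeds with probability $\frac{1}{2}(1 + d_T)$ and that $d_T \le \sqrt{1 - F^2}$. The two states, the `qubit` parameterization and all function names are constructed for illustration; real symmetric 2x2 density matrices are assumed.

```python
import math

def qubit(r, theta):
    """Real qubit state 0.5*(I + r*(sin(theta)*X + cos(theta)*Z)), 0 <= r <= 1."""
    x, z = r * math.sin(theta), r * math.cos(theta)
    return [[(1 + z) / 2, x / 2], [x / 2, (1 - z) / 2]]

def trace_distance(rho, sigma):
    """d_T = (1/2) Tr|D| with D = rho - sigma. D is traceless, so its
    eigenvalues are +lam and -lam, and (1/2) Tr|D| = lam."""
    d00 = rho[0][0] - sigma[0][0]
    d01 = rho[0][1] - sigma[0][1]
    return math.hypot(d00, d01)

def fidelity(rho, sigma):
    """F = Tr|sqrt(rho) sqrt(sigma)|, via the qubit identity
    F^2 = Tr(rho sigma) + 2 sqrt(det(rho) det(sigma))."""
    tr = sum(rho[i][j] * sigma[j][i] for i in range(2) for j in range(2))
    det = lambda m: m[0][0] * m[1][1] - m[0][1] * m[1][0]
    return math.sqrt(max(0.0, tr + 2 * math.sqrt(max(0.0, det(rho) * det(sigma)))))

def positive_projector(rho, sigma):
    """Projection {D > 0} for D = rho - sigma. For a traceless 2x2 D with
    eigenvalues +-lam (lam > 0), it equals (D + lam*I) / (2*lam)."""
    lam = trace_distance(rho, sigma)
    return [[(rho[i][j] - sigma[i][j] + (lam if i == j else 0.0)) / (2 * lam)
             for j in range(2)] for i in range(2)]

def success_probability(sigma0, sigma1):
    """Probability of guessing a uniform bit x from sigma_x with the test
    P_0 = {sigma0 - sigma1 > 0}, P_1 = I - P_0."""
    p0 = positive_projector(sigma0, sigma1)
    tr0 = sum(sigma0[i][j] * p0[j][i] for i in range(2) for j in range(2))
    tr1 = sum(sigma1[i][j] * ((i == j) - p0[j][i]) for i in range(2) for j in range(2))
    return 0.5 * (tr0 + tr1)

# Constructed imperfect source: unequal purities, Bloch vectors 0.2 rad
# short of antipodal.
SIGMA_0 = qubit(0.95, 0.0)
SIGMA_1 = qubit(0.90, math.pi - 0.2)

if __name__ == "__main__":
    d, f = trace_distance(SIGMA_0, SIGMA_1), fidelity(SIGMA_0, SIGMA_1)
    print(f"d_T = {d:.4f}   sqrt(1 - F^2) = {math.sqrt(1 - f * f):.4f}")
    print(f"success = {success_probability(SIGMA_0, SIGMA_1):.4f}   "
          f"(1 + d_T)/2 = {(1 + d) / 2:.4f}")
```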

Suppose now that we receive a product state a^ x from 
the Alice's source, and estimate x by applying the above 
hypothesis testing to each individual state. Let k be an 
integer such that < k < nc- If we allow up to k 
errors in the estimation of ri£-bit string x , then the 
error probability e p (i.e. the probability that we make 
more than k errors) can be bounded as 

where s™ = min{s£,S£}, n c = n,£ — n Cl and we have 
used, for < k < n and < q < 1, 

with h{p) — — plogp— (1— p)log(l— p) (see e.g. |5j). We 
are now in position to construct Py. Let Sp = and 

p* = p\ + Sp. Define the projection P y on TL C by 
Py = (^) ,xi ■ 

x c :\x(By\<ncp* 

Then it can be verified that TrSj^c — P y ) < e p Tia y , 
which shows that Py is a required projection (provided 
that 1 — s™ is sufficiently small). 

Having constructed the projection P a ^ x , we now bound 
the conditional probability p^(x\y, z). Since 

p£(jf, z) = Tr^M yz = irc = 2- n ^rM yz 
with My Z = Ma.yz for short, we now bound p^(x,y,z).
It follows, on using TrP y < 2 nch{p "\ that 



If vc = 0, for example, we can take = — log He and 



Define 



where, for a G {0,1}, q a = raaXa. iiB / e {o,i}{Tro- 0ia .P 5|lc /}. 
Define now 

p' a (x,y,z) = Tr(I n c - Py)p^(x)a^ x (I n c - P y )M yz . 

Since a~ = a£ = (a£ — &y) + <r y , Py and ay commute, 
and J2 y Tt °v < 2 nch(p c\ we have 

' pi:(x,y,z) 

x,y,z x,y,z 1 a v ' ; 

Hence Markov's inequality for a constant c > yields 
PrpoIpK^y^) < co^pf (x,y,z)] > 1 - c -1 , 

where c should be determined so that Eve's mutual infor- 
mation about the final key will be minimized. Further, 
Schwarz's inequality gives 

Tr P y p^{x)a^ x {I n c -Py)M a , yz < {n c p' a (x, y, z))i 
Therefore it follows that 

p£{x,y,z) < ((tt £ )3 + (p' a (x,y,z))?) 2 , 

and so 



Pr Pa [p^(x\y,z)>Il c ]<-, n c 



7T £ (l - (cue)?) 2 



(9) 

Now, it follows from inequality © that the conditional 
Renyi entropy R^(X\y c , z) can be bounded as 

R K a {X\f, z) = - log£ (p£(X = x\Y = y c ,Z = z)f 

X K 

>R c a {X\y,z) + R^_, 

where R^_ — — n %\ l°S s vU' an d a capital letter (say 
X) denotes the random variable which samples the cor- 
responding small letter (say a;). Now, using constraints 
and |J3J, let us derive another constraint of the form 

Pi Pa [R£(X\y,z)>R£_]<ec. 



R%= min {Rt+R™}, 



and let m be an integer such that I = R^ — m > 0. 
Choose a function g at random from a universal family 
of hash functions from {0, 1}™ to {0, l} m . If Alice and 
Bob choose s = g(x K ) as their secret key, then the Eve's 
expected information about S, given Z and G, satisfies 
I(S : Z,G) < ri£ec + 2~ l /\n2, where we consider Y as 
an auxiliary random variable (see [3| for details). Here 
we note that R 1 ^, is not explicitly dependent on the char- 
acteristics of the detector, and hence the detector can 
be uncharacterized. Further, as ri£ — > oo, the terms vc 
and dxiPa j Pa) approach to 1 unless p a . x = a a . x and 
Pa — Pa! this shows that the leading factors reducing 
the key generation rate are the asymmetries of the source 
represented by these terms. 
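
One way to carry out the privacy amplification step described above, as an added example that is not part of the paper: it picks the key length $m$ from the bound $n\epsilon + 2^{-l}/\ln 2$ with $l = R - m$, then compresses the string with a Toeplitz matrix over GF(2). The Toeplitz family is a standard universal hash family chosen here as an assumption (the paper does not name a family); the numbers and function names are constructed.

```python
import math
import secrets

def leak_bound(renyi_bits, m, n_bits, eps):
    """Bound n*eps + 2^(-l)/ln 2 on Eve's expected information, with l = R - m."""
    return n_bits * eps + 2.0 ** (m - renyi_bits) / math.log(2)

def key_length(renyi_bits, n_bits, eps, target):
    """Largest integer m with l = R - m > 0 and leak_bound <= target (0 if none)."""
    slack = target - n_bits * eps
    if slack <= 0:
        return 0                        # the n*eps term alone exceeds the target
    l_min = max(-math.log2(slack * math.log(2)), 0.0)
    m = math.floor(renyi_bits - l_min)
    if m >= renyi_bits:                 # keep l strictly positive
        m -= 1
    return max(m, 0)

def toeplitz_hash(x, n_bits, m, seed):
    """Multiply the n-bit string x (held as an int) by the m x n matrix over GF(2)
    built from the n+m-1 bits of seed; entries are constant along diagonals when
    x is read most-significant bit first. Returns the m-bit result as an int."""
    mask = (1 << n_bits) - 1
    out = 0
    for i in range(m):
        row = (seed >> i) & mask                   # row i: seed bits i .. i+n-1
        out |= (bin(row & x).count("1") & 1) << i  # parity of <row, x>
    return out

def amplify(x, n_bits, renyi_bits, eps, target):
    """Pick m from the bound, draw a fresh seed, and compress x to m bits."""
    m = key_length(renyi_bits, n_bits, eps, target)
    if m == 0:
        return 0, 0, 0                  # no secret key can be extracted
    seed = secrets.randbits(n_bits + m - 1)  # seed is public: the bound is given G
    return m, seed, toeplitz_hash(x, n_bits, m, seed)

# Constructed numbers: 1000 reconciled bits, Renyi entropy bound R = 600 bits,
# failure probability eps = 1e-13, target leak of 1e-9 bits.
N, R, EPS, TARGET = 1000, 600.0, 1e-13, 1e-9

if __name__ == "__main__":
    x = secrets.randbits(N)             # stands in for Alice's corrected string
    m, seed, key = amplify(x, N, R, EPS, TARGET)
    print(f"m = {m} bits, leak bound = {leak_bound(R, m, N, EPS):.3e}")
```

Each extra bit of key halves $l$'s margin, so the $2^{-l}/\ln 2$ term doubles; the $n\epsilon$ term is fixed by the entropy estimate and cannot be reduced by hashing.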

To see that our result is consistent with the previous 
ones, suppose that the source and detector are perfect. 
In this case, we can take p a °x — o a ,x — Pa.x, C = K, 
Pc = 4-> v c = 0, d T (p%,p£) = 0, logg a = -1, dp = 0, 
e p = 0. Since uic = £§- — * as n/c — > 00 for fixed 
S p , R^/nic approaches to h(p^-) for sufficiently small c -1 
and $\delta_p$. This is consistent with the results in the previous works.

We close this paper by mentioning some extensions of this work. (i) In the same way as Koashi-Preskill [9], we can provide a security proof of the BB84 protocol where the only assumption is that the detector and basis dependence of the averaged states are characterized. (ii) It is also of importance to give a security proof of the B92 protocol. Suppose that the source generates $\rho_0$ with probability $p_0$ and $\rho_1$ with probability $p_1$. Then we decompose $\rho_a$ ($a \in \{0, 1\}$) as $\rho_a = p^{(0)}_a \rho^{(0)}_a + p^{(1)}_a \rho^{(1)}_a$ so

that poP^ — PiP^ ■ Again we define p a by introducing 
the Gram matrix as above. Note that p a is a pure state on 
a 2-dimensional Hilbert space 7^2- Hence, the terms vc 
and dxiPa, Pa) automatically vanish in this case, which 
could be considered as an advantage of the B92 protocol. 
More detailed investigation concerning these extensions 
will be the subject of future work. 

The author is grateful to Dr. Keiji Matsumoto for 
comments. This work was supported in part by MEXT, 
Grant-in-Aid for Encouragement of Young Scientists (B)
No. 15760289. 